Whitepaper O PE N S OU RCE I N T E L L I G E N CE DECEMBER 2020 By Casey Brooks & Selena Larson DRAGOS, INC. Intel@Dragos.com @DragosInc OPEN SOURCE INTELLIGENCE E X ECU T I V E SUMM A RY Publicly and semi-publicly available data, referred to as open source intelligence, can enable an adversary to develop targeting, identify access and ingress to a target, and understand how a target may respond to disruptive attacks on infrastructure. Adversaries who target Industrial Control Systems (ICS) for disruptive purposes seek open source information to plan and execute attacks that are different from adversaries targeting traditional enterprise resources. For example, Dragos observed adversaries conducting ICS-targeting activities that sought data about energy infrastructure and physical processes necessary to recover from a compromise. With this data, an adversary could target operational functions that are pertinent to recoverability to further the consequences of an attack. Dragos created an Open Source Intelligence (OSINT) collection risk framework to help defenders better identify and restrict openly available information most valuable to adversaries intending to disrupt critical infrastructure. This framework helps prioritize countermeasures and mitigations to deny an adversary the opportunity to use OSINT collection against a victim. D R AG O S , I n c . 1 OPEN SOURCE INTELLIGENCE TA B L E OF CON T EN T S What is Open Source Intelligence?.......................................................................................3 Key Information Types.......................................................................................................................... 4 Targeting ICS...........................................................................................................................5 Developing an OSINT Security Assessment....................................................................... 6 Scope the Scenarios............................................................................................................................... 6 Collaborate Across the Company....................................................................................................... 6 Detail the System and Network........................................................................................................ 6 Identify Sources and Collect Information........................................................................................ 6 Conduct Analysis and Risk Assessment ......................................................................................... 7 OSINT Collection and Risk Scoring Matrix.......................................................................... 7 Priorities of Defense and Mitigation................................................................................... 8 OSINT Collection Mitigation and Vulnerability Remediation..........................................10 Taking Actions.......................................................................................................................10 Conclusion...............................................................................................................................11 Appendix................................................................................................................................ 12 Definitions............................................................................................................................................... 12 PODAM Worksheet............................................................................................................................. 14 D R AG O S , I n c . 2 OPEN SOURCE INTELLIGENCE WH AT I S OPEN S OURCE I N T EL L IGENCE ? OSINT covers a wide variety of applications. Fundamentally, OSINT refers to the collection of publicly and semi-publicly available information that is used to inform multiple functions including intelligence gathering and reporting, business and policy analysis, and adversary attack development. For the purposes of this report, Dragos will focus on OSINT from a cyber threat intelligence perspective, with applications for Industrial Control System (ICS) asset owners, ICS operators, and adversaries. Adversaries and defenders collect OSINT from a variety of sources. This is not an exhaustive list but demonstrates the types of publicly available information that could facilitate attack planning: Reconnaissance tools such as Shodan 1 or Censys 2 Onng engines such as VirusTotal 3 Bn portals such as VendorLink 4 engines Government and regulation authority body UsingSearch tools like the OSINT Framework 5 » » » » » » » Social media websites 1 Job listings » News websites » Company websites » Vendor websites and documentation including » installation documentation containing default passwords » websites » Reconnaissance tools such as Shodan or Censys 2 Online scanning engines such as VirusTotal 3 Business solicitation portals such as VendorLink 4 Usernames and passwords in public repositories dumped by adversaries or stored in GitHub Using tools like the OSINT Framework 5 Financial and legal resources such as 10-K filings or indictments 1 https://www.shodan.io/ 2 https://censys.io/ 3 https://virustotal.com/ 4 https://www.myvendorlink.com/common/default.aspx 5 https://osintframework.com/ D R AG O S , I n c . 3 OPEN SOURCE INTELLIGENCE K E Y INFORM AT I ON T Y PE S Adversaries may seek multiple types of information in an Recoverability Information: Gives an adversary insight attempt to conduct reconnaissance on a target and create a into the ability for a target’s process, system, or network plan of attack. Identifying this information and educating infrastructure to recover from an attack or compromise. company personnel on the potential risks of public exposure Example: Information about electric can enable defenders to proactively assess or remove potential utility service restoration in the event of information that can be weaponized. a disruptive event. The following definitions can help identify relevant and potentially exploitable information, based on the United States (U.S.) Department of Defense CARVER matrix, and assist in 6 establishing risk language used in the OSINT framework . Personal/Personnel Information: Allows for identification Vulnerability Information: Informs an adversary of a vulnerability that exists in the target’s infrastructure, processes, or response actions. of critical personnel, general personnel, or outside source Example: An unpatched vulnerability personnel (e.g. contractors, third-party operators) affecting Virtual Private Network (VPN) appliances that enables initial access. Example: LinkedIn profiles or construction contractors building a Effect Information: Information about the amount of new facility for the target. direct or indirect loss a target would have from an attack or compromise. Information on the effects that losses would have on the target, its organization, processes, or operations. Criticality Information: Informs an adversary of the impact of an attack for a target’s continued operations. A target’s Example: criticality is determined if its compromise or destruction has disruptive cyberattack targeting a a highly significant impact in the overall organization and its Safety Instrumented System (SIS); ability to conduct business or operations. financial losses accrued from multiple Physical effects of a days of downtime. Example: “Crown Jewels” 7 of operations, like safety controllers in oil and gas operations or data historians in manufacturing. Recognizability Information: Assists adversaries in the ease of identifying targets for operational gain and the level of obscurity that the target has from internal and external sources. Accessibility Information: Informs the adversary of the ability or method to remotely/physically access or egress from a target. Example: Example: Remote Desktop Protocol MAC address of target workstation within the ICS. (RDP) exposed to the internet. 6 https://en.wikipedia.org/wiki/CARVER_matrix 7 https://dragos.com/blog/industry-news/combating-cyber-attacks-with-consequence-driven-ics-cybersecurity/ D R AG O S , I n c . 4 OPEN SOURCE INTELLIGENCE TA RGE T ING I C S When mapped to the ICS Cyber Kill Chain, 8 OSINT largely in downtime. In these cases, an operator may be more willing represents Stage 1 reconnaissance activity that can support to pay a ransom to unlock computers and limit downtime, Stage 2 objectives. It can be used to identify potential especially if proper backups are not maintained. For example, vulnerabilities, identify detections, implement persistence in July 2020, wearables manufacturer and Global Positioning mechanisms, or reduce the time required to achieve objectives System and avoid detection. Details on equipment, vendors, and ransomware attack and opted to pay an undisclosed ransom to processes can be used for later malware or malicious tool get its operations back online.10 development. (GPS) service provider Garmin experienced a ICS environments may also be more insecure than Adversaries target industrial entities for a variety of traditional enterprise systems, especially for entities with reasons. Attacks on ICS entities that serve critical functions immature cybersecurity postures. This can be due to legacy within society can be used to further political, economic, or operating systems in use across various environments and national security goals. Depending on an adversary’s objective, inadequate segmentation. It is not uncommon to observe attacks can be used for messaging purposes or retaliation. The outdated Windows operating systems, such as Windows XP potential impact may extend to citizens of a target’s community. or Windows 7, within ICS due to interoperability of some ICS Understanding critical infrastructure can put an adversary at a devices and limitations on patch management. ICS systems are tactical advantage in times of conflict to establish a foothold as fundamentally complex, and security mechanisms like patching a contingency option when conflict occurs. are conducted based on weighing the risk of compromise Targeting ICS can provide monetary value to an adversary. ICS entities increasingly experience ransomware attacks that, in many cases, disrupt operations. 9 For some companies, disrupting operations can have significant daily financial impacts, costing thousands and sometimes millions of dollars against the outcome of a potential cyberattack. Practicing defense in depth, including conducting OSINT risk assessments to strengthen external security postures and limiting the ability for adversaries to operationalize public information, can prevent initial access and movement within an operational environment. 8 https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 9 https://dragos.com/blog/industry-news/assessment-of-ransom- 10 https://www.bleepingcomputer.com/news/security/confirmed-garmin-re- ware-event-at-u-s-pipeline-operator/ ceived-decryptor-for-wastedlocker-ransomware/ D R AG O S , I n c . 5 OPEN SOURCE INTELLIGENCE DE V ELOPI NG A N O SI N T SECUR I T Y A S SE S SMEN T By identifying and prioritizing data that could be used in OSINT collection, defenders can establish methods to reduce the availability of potentially high-risk company and user data and limit the information an adversary can use in a potential attack. Scope the Scenarios Defenders should begin by scoping multiple scenarios and potential for attacks. These can be identified from examples of known cyberattacks, results of tabletop exercises and red team activities, and scenarios developed by internal security teams. The goal of this step is to identify the type of adversary or attack that defenders try to prevent. Dragos advises leveraging consequence-driven security assessments to identify adversary objectives and how to combat them. The Dragos Crown Jewel Analysis model policy functions the information serves. Detail the System and Network A detailed map of the network should be developed and maintained to visually describe where information is hosted, stored, and maintained via system diagrams, flow charts, or network maps. The map should also detail context of the information hosted. For example, when evaluating a web portal that hosts contractor information and third-party network access, the content of the information hosted should be as detailed as the technical specifications of the actual hosting server. The quality and quantity of useful data should be noted and assessed if additional intelligence can be generated from it in aggregate. Identify Sources and Collect Information of consequence-driven ICS cybersecurity scoping helps Source identification is an important step in the collection defenders visualize how an adversary would access the process. Defenders can use the resources described above system to achieve a specific consequence 11 . By identifying to find relevant, publicly available information. However, assets within the system and the functional outputs sources will vary for individual companies. Asset owners and dependencies, the level of exposure, and interaction and operators should also consider information exposed between each network layer, organizations can visualize by third-party entities that could be used in reconnaissance how an adversary may achieve a specific consequence by operations. For example, a vendor may publish case studies targeting different elements within the system. or press releases describing how customers implement specific products or services within their operations Collaborate Across the Company It is important that OSINT assessments leverage experience and data across multiple teams. Security operators and network technicians from Information Technology (IT), incident responders and forensic specialists, security operators and engineers from ICS environments, and physical security specialists should be consulted while conducting the assessment. These individuals can provide insight on the value of information from an adversary perspective and how OSINT can enable potential attack scenarios. Additionally, business units including human resources and legal should also be consulted to identify publicly available information and the requirements or environment, which could provide adversary insight into what technologies are used in a target environment. Information collection should focus on publicly available information that could be used to facilitate reconnaissance or attack development. This includes information about vendors and partners; documents, schematics, and data sheets; job advertisements; information about system operations and recovery processes; geographic data like maps detailing plant locations; ports and services identified via Shodan; and credentials in public dumps. Security teams should also identify gaps in security architecture, like remote login portals that lack strong passwords and multi-factor authentication including RDP and VPN services. 11 https://dragos.com/wp-content/uploads/ConsequenceDrivenICSCybersecurityScoping_Dragos.pdf D R AG O S , I n c . 6 OPEN SOURCE INTELLIGENCE Conduct Analysis and Risk Assessment Once data is collected, users should determine how an adversary may operationalize data to achieve objectives outlined in potential attack scenarios. Data should be assigned severity scores on the risk that data poses to the organization, based on the matrix in Figure 1. For example, information that could facilitate initial access and is easily accessible to the adversary should be assigned a higher score compared to information that does not enable an adversary to fulfill an attack objective and is difficult to obtain. Example: A piece of information (e.g. error logs, system headers, etc.) describes a server running a vulnerable piece of software, but it is unknown how or if the adversary uses the information. The information is highly accessible and recognizable, and likely easy for the adversary to use. In combination with other collection by an adversary, this software vulnerability information has a higher score than just the individual piece of information. OSINT Collection and Risk Scoring Matrix To enable asset owners and operators to better understand the risk that openly collected information poses to an organization, Dragos developed the OSINT Collection and Risk Scoring Matrix. With this matrix, users can quickly apply scores to identified information and the risk of an adversary operationalizing it against them. The data is rated from one to three and by color, including green, orange, and red. The higher the number, the greater the value of the OSINT to an adversary. Green indicates a low value item and red indicates a high value item. The colors help an analyst determine how to quickly prioritize remediation and defense. This is explained in the Priorities of Defense and Mitigation section below. OSINT Collection Risk and Vulnerability Matrix Information is of Low Information is of Medium Information is of High Relevance/Importance for Relevance/Importance for Relevance/Importance for Intelligence Collection Intelligence Collection Intelligence Collection Adversary utilization 2 3 3 1 2 3 1 2 2 requires little to no analytical effort for operational integration Adversary utilization requires moderate to specialized analytical effort for operational integration Adversary utilization requires highly technical analytical effort for operational integration Figure 1: OSINT Collection and Risk Scoring Matrix Example: An OSINT assessment identified a document containing engineering diagrams of an oil production facility. The document included device type and implementation information of safety systems and integration of Enterprise Resource Planning (ERP) software. This document was found in a vendor Request for Proposal (RFP) repository. D R AG O S , I n c . 7 OPEN SOURCE INTELLIGENCE This document is scored as a 3 and is of high value and importance of each piece of information is designated by relevance to an adversary interested in infiltrating or color, like Figure 1 above. Different characters represent the disrupting operations. It requires specialized analytical ability for an entity to mitigate the potential risk, and if risk effort for intelligence value for an adversary. This means mitigation is an issue of policy or prioritization. to use information from this document, an adversary must establish knowledge of the ICS environment, devices, and software used. The table is an example of how an analyst can determine the priorities of defense and mitigation based on open source data collected. The legend icons represent requirements Example: An OSINT assessment of 10-K and the ability for the company to implement defensive financial filings identified an automotive measures to prevent exploitation of the data, what actions manufacturing working should take priority, if a network policy configuration is with Accounting Firm X to facilitate the required to fix, and if data came from threat intelligence acquisition of an additive manufacturing reporting. The colors represent the value of the intelligence startup. A LinkedIn search identified the gathered to adversary operations. organization name of the accountant at Accounting Firm X likely working on this acquisition. Example: An analyst collects three different types of information: the This information is scored a 2. The adversary requires location of facilities, names and emails moderate analytical effort to operationalize this data, and it of engineers, and vendor names and would be straightforward to create phishing lures based on contract information of companies the information identified. The adversary requires additional they access, like to the accountant’s email directly, to launch a uses this information in different likely successful phishing attack. This information is also of ways for low importance for intelligence collection because it is only and infrastructure tangentially related to the target organization. operations. An analyst must identify work with. An targeting, adversary exploitation, development how it may be used, the importance of the data based on the Risk Scoring Priorities of Defense and Mitigation Matrix above, and if the organization As information is assessed and scores assigned, defenders has adequate visibility, defensive can leverage the Priorities of Defense and Mitigation measures, and security policies in (PODAM) table to visualize how collected data could place to prevent exploitation of the be operationalized, the value of the information, and if information. The analyst completes protections and mitigations are in place to address the the table as provided in the example potential risk. below. The PODAM table used to assess OSINT collection contains multiple examples and potential use cases for Analyst Note: A full list of definitions detailing the data operationalizing OSINT including target identification, types and how information can be used is available in the exploitation, appendix. An empty PODAM worksheet is also provided in infrastructure development, delivery, capabilities development, and actions on the objective. The D R AG O S , I n c . the appendix for use in security operations. 8 OPEN SOURCE INTELLIGENCE Table 1: Sample Adversary OSINT Collection PODAM By using this table, an analyst can determine the highest priority items to address. In this case it is publicly available vendor names and contracts. The following are recommended steps for remediation plans to begin addressing the issues: • Remove sensitive information from public sources where applicable. • Conduct an assessment of third-party and vendor integrations within the operations environment. • Ensure third-party connections are properly secure with access restrictions, Multi-Factor Authentication (MFA), segmentation, and defense in depth measures. • Work with vendors and contractors to identify and acknowledge maintenance and related operations in advance to determine schedules and baseline legitimate activity. D R AG O S , I n c . 9 OPEN SOURCE INTELLIGENCE OSINT Collection Mitigation and Vulnerability Remediation Regardless of the issues identified, all mitigation efforts should include defense in depth approaches to prevent Once defense and mitigation priorities are established, a single point of failure within the system or network. users should identify corrective actions to prevent or Visibility of assets is crucial to implement effective defense lower the risk of adversaries exploiting vulnerabilities or in depth approaches to establish barriers to entry, secure operationalizing information identified in the previous or restrict communications between assets, and identify stages of the assessment. These can include issuing patches anomalous behaviors. This requires a complete view of an to vulnerable hardware and applications, removing sensitive organization’s assets. data from public websites or databases, implementing MFA to access documentation on cloud storage systems, and changing default passwords on devices within the ICS. Taking Action Based on the information gathered and the assessed risk to Users should conduct this section of the assessment in two the organization, users should implement remediation plans parts: one for hardware and physical systems and the other that focus on the most critical to least critical information for for software and user policies. Each assessment should adversary operationalization. Plans should be documented include a description of the vulnerability or issue identified, and include realistic timelines required to address issues and how the company can correct it, and the resources required identify the entity responsible for addressing, removing, or to do so. The assessment should include any potential correcting information and vulnerabilities. obstacles that prevent the company from implementing the recommended fixes. Once an assessment is completed, the results should be To illustrate the potential risk the vulnerabilities or resources, who may need to alter job descriptions based information pose to an organization, defenders are on feedback, and public policy teams, who regularly share encouraged to leverage threat intelligence reporting that publicly accessible data with regulators, municipal, state, provides examples of adversaries operationalizing identified and federal agencies. shared across teams. This includes entities like human issues and consequences of activities. D R AG O S , I n c . 10 OPEN SOURCE INTELLIGENCE CONCLU SI ON Conducting regular OSINT collection risk assessments as part of quarterly or bi-annually scheduled cybersecurity reviews can improve an organization’s defense against adversary operationalization of publicly available information and exploitation of known vulnerabilities. By following the framework introduced above, defenders can better identify potential risk to an organization, understand the risk of publicly exposed data, and create mitigation strategies that effectively reduce risk. TO LE ARN MORE ABOUT DR AGOS AND OUR TECHNOLOG Y, SERVICES , AND THRE AT INTELLIGENCE FOR THE INDUSTRIAL COMMUNIT Y, PLE A SE VISIT W W W. DR AGOS .COM . D R AG O S , I n c . T HA N K YO U 11 OPEN SOURCE INTELLIGENCE A PPENDI X Definitions spoofing domains, supply chain compromise, or for The following definitions describe the various types of information associated with the PODAM. information on trusted party relationships involved with business operations that can enable phishing opportunities. Establishment - An adversary’s operational process of Personnel - Individual people who have an OSINT footprint. This can help an adversary identify targets that could be a likely source for access and exploitation. Technology - Information about specific technology that is present in the defended environment. This information can come from personnel profiles, job listings, or fingerprinting by the adversary. Organizational - Information about the organization’s physical location, partnerships, business details, etc. that can be used to develop targeting. Vulnerability - A vulnerability existing in a business or operational process that informs an adversary for a likely avenue of exploitation. creating infrastructure, developing and testing capabilities, and performing the initial planning stages for reconnaissance and targeting. Staging - An adversary’s operational process of preparing infrastructure and capabilities to act in unison for use in delivery, exploitation, or command and control functions. Staging can also be initiated when a part of infrastructure is transferred from inactive to active hosting. Phishing - An adversary can use a combination of either adversary controlled or legitimate compromised infrastructure and phishing themes to lure victims into a false sense of security and evade scrutiny. This can often lead to having victims visit watering holes, avoiding immediate detection by security operations or technologies, Social Engineering - A method used to trick a user to activate or download a delivered capability, or to provide information to the adversary as a trusted party. and creating a trust relationship with the adversary sender. Watering Hole - An adversary-controlled or legitimate but compromised domain that the adversary uses to lure Supply Chain - An entity or entities that enable the victims to gather information, deliver capabilities, or collect production or operation of a business process. It acts as an credentials for legitimate access. avenue into a victim environment via trusted channels or connections. delivery of additional capabilities without need of victim Domain Spoof - A tactic of establishing infrastructure that mimics or closely matches a trusted domain or entity infrastructure. This can be used for delivery, command and control, or for social engineering. Legitimate Compromise - A tactic adversaries use to gain access to an indented victim by exploiting trust or the legitimate nature of another domain or organization. This is most often observed as a command and control point for interaction with a victim, avoiding the necessity of establishing and maintaining adversary created infrastructure. Vendor Supply Chain - This informs an adversary of potential targets for legitimate compromises, crafting D R AG O S , I n c . Downloader/Dropper - A capability that enables the interaction. Credential Capture - A method an adversary uses to collect legitimate credentials that enables access to targeted victim. Legitimate Access - A method in which an adversary uses captured credentials, harvested credentials from OSINT information, or brute force authentication to achieve access as a trusted, legitimate user. This also occurs when an adversary is able to create user personas in a victim environment to allow for persistent access without relying on backdoors or other capabilities that enable illegitimate access. Authentication Bypass - This technique involves finding infrastructure that allows for access behind an authentication 12 OPEN SOURCE INTELLIGENCE A PPENDI X control, but a vulnerability exists in either the technology or performing offensive tasks without automation or or organizational process for access approval, or a valid user the use of capabilities to achieve information collection, account was compromised to let an adversary bypass this reconnaissance, persistence, or exfiltration. authentication gate. Command and Control - The channels an adversary uses to Research and Development - A business function that direct its operations, enabling bi-directional communication generates new information of value for an adversary or of information. that contains intellectual property that is either not publicly Persistence - The method of maintaining access and available or patented. Automation - A process that follows specific steps without manual or user interaction. Evasion - A capability design, tactic, or technique taken by an adversary for avoiding detection by security infrastructure, technology, or defender manipulation. command and control within a victim environment. Maneuver - The method used to move within a victim environment. Cyber Key Terrain - Infrastructure, processes (either business, technical, or personnel) or technology that is essential to the operational integrity, confidentiality, and Obfuscation - A capability design, tactic, or technique taken availability of a network. by an adversary to avoid scrutiny. Defense Capability Gap - A gap in organizational structure, Installation - The process in which an adversary is able network architecture, cybersecurity, or user policies to load a capability into a victim environment and gain that would be required for defense against adversary successful execution of the capability to allow for further exploitation. access or continued interaction operations. Missing Dependency - A security feature or mechanism Environment Awareness - The ability for an adversary to that enables a core security function but is not present determine where in the victim network they are located, within the environment. identifying infrastructure for pivoting or information Requires Implementation - A security feature or mechanism that better enables capability selection in compromise operations. that is present within in an organization, but is not yet implemented, and is required for defense against adversary Weaponization - The activity performed by an adversary exploitation. to take a vulnerability or benign software or documents Intelligence Data - Information gleaned from threat and turn it into an operational capability that can lead to satisfying adversary intent. Interactive Operations - The activity wherein the actor accesses the victim environment through manual means D R AG O S , I n c . intelligence data, either from a third-party or an organization’s internal threat intelligence team. Policy Issue - An item that requires a change in organizational or user policy to address. 13 OPEN SOURCE INTELLIGENCE D R AG O S , I n c . 14